Hitachi

JP1 Version 12 JP1/Automatic Operation Configuration Guide 


1.6.4 Procedure to enable HTTPS connections (Linux 8)

Set up the user_httpsd.conf file, and then store the private key file and SSL server certificate file in the specified folder to enable HTTPS connections on the Web server.

Before you begin

To enable HTTPS connections:

  1. Open the user_httpsd.conf file from the following location:

    Common-Component-installation-directory/uCPSB11/httpsd/conf/user_httpsd.conf

  2. Within the user_httpsd.conf file, do the following:
    • Uncomment the following lines by removing the hash [#] signs:

      #Listen 22016

      through

      #HWSLogSSLVerbose On

      with the exception of #SSLCACertificateFile and #Header set Strict-Transport-Security max-age=31536000, which must remain commented out.

      For an IPv6 environment, remove the hash mark (#) at the beginning of the line #Listen [::]:22016.

    • Edit the following lines as required:

      ServerName in the first line

      ServerName in the <VirtualHost> tag

      SSLCertificateKeyFile

      SSLCertificateFile

      #SSLCACertificateFile

      When using a certificate of the certificate authority, delete the hash sign (#) from the line #SSLCACertificateFile, and specify the certificate of the certificate authority by using an absolute path.

      Important

      To block non-SSL communication from external servers to the host, comment out the lines Listen 22015 and Listen [::]:22015 by adding a hash mark (#) to the beginning of each line. After you comment out these lines, remove the hash mark (#) from the line #Listen 127.0.0.1:22015.

      When editing directives, be aware of the following:

      • Do not specify the same directive twice.
      • Do not enter a line break in the middle of a directive.
      • When specifying paths in the following directives, do not specify symbolic links or junction points.
      • When specifying certificates and private key files in the following directives, specify PEM-format files.
      • Do not edit httpsd.conf and hsso_httpsd.conf files.

      The following is an example of how to edit the user_httpsd.conf file. The numbers represent the default ports.

      ServerName host-name
      Listen [::]:22015
      Listen 22015
      #Listen 127.0.0.1:22015
      SSLEngine Off
      #Listen [::]:22016
      Listen 22016
      <VirtualHost *:22016>
      ServerName host-name
      SSLEngine On
      SSLProtocol +TLSv1.2
      SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256
      # SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
      SSLCertificateKeyFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/server/httpsdkey.pem"
      SSLCertificateFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/server/httpsd.pem"
      # SSLCertificateKeyFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/server/ecc-httpsdkey.pem"
      # SSLCertificateFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/server/ecc-httpsd.pem"
      SSLCACertificateFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/cacert/anycert.pem"
      # Header set Strict-Transport-Security max-age=31536000
      </VirtualHost>
      HWSLogSSLVerbose On
      
  3. Start the JP1/AO service.
  4. Update the JP1/AO URL by using the hcmds64chgurl command to do the following:
    • Change the protocol from http: to https:
    • Change the port number used for secure communication.
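
A static check for the editing rules in step 2, added here as an example and not part of the Hitachi guide: it flags a directive separated from its argument by a line break, a directive repeated within one scope, and the non-SSL port 22015 still listening on a non-loopback address. The sample configuration and its /opt/example paths are constructed, and judging duplicates per scope while exempting Listen is an assumption drawn from the page's own example.

```python
# Constructed sample (placeholder paths), seeded with the mistakes the page warns about.
SAMPLE = """\
ServerName host-name
Listen [::]:22015
Listen 22015
#Listen 127.0.0.1:22015
SSLEngine Off
Listen 22016
<VirtualHost *:22016>
ServerName host-name
SSLEngine On
SSLCertificateKeyFile
"/opt/example/conf/ssl/server/httpsdkey.pem"
SSLCertificateFile "/opt/example/conf/ssl/server/httpsd.pem"
SSLCertificateFile "/opt/example/conf/ssl/server/ecc-httpsd.pem"
</VirtualHost>
"""

NEEDS_ARG = {"ServerName", "Listen", "SSLCertificateKeyFile", "SSLCertificateFile", "SSLCACertificateFile"}

def lint_user_httpsd(text, http_port="22015"):
    """Return (line_number, message) findings for the editing rules in step 2."""
    findings, seen, scope = [], {}, "global"
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or commented-out line
        if line.startswith("<"):          # <VirtualHost ...> opens a scope, </...> closes it
            scope = "global" if line.startswith("</") else line
            continue
        if line.startswith(('"', "/")):   # a bare path: its directive is on the line above
            findings.append((n, "argument separated from its directive by a line break"))
            continue
        name, arg = (line.split(None, 1) + [""])[:2]
        if name in NEEDS_ARG and not arg:
            findings.append((n, f"{name} has no argument on its line"))
        if name == "Listen":
            # The non-SSL port is acceptable only when bound to loopback.
            if arg.rsplit(":", 1)[-1] == http_port and not arg.startswith("127.0.0.1:"):
                findings.append((n, f"non-SSL port {http_port} reachable from external hosts"))
            continue                      # assumption: several Listen lines are legitimate
        if (scope, name) in seen:         # assumption: "twice" is judged per scope
            findings.append((n, f"{name} repeated (first on line {seen[(scope, name)]})"))
        seen.setdefault((scope, name), n)
    return findings

if __name__ == "__main__":
    for lineno, message in lint_user_httpsd(SAMPLE):
        print(f"line {lineno}: {message}")
```

The check reads only the text of the file; the symbolic-link and PEM-format rules concern the files the paths point to and are not covered.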